also sprach Moritz Muehlenhoff <[EMAIL PROTECTED]> [2005.06.28.0156 +0200]:
> Have a look at the system we use for the testing security team (I
> always thought it originated in the security team):
> http://lists.alioth.debian.org/pipermail/secure-testing-commits/2005-June/thread.html
>
> This sys
On Monday 27 June 2005 20:39, Marek Olejniczak wrote:
I don't understand the philosophy of Debian security team. It's really
so difficult to push into sarge spamassassin 3.0.4 which is not
vulnerable? This version is in Debian testing and why this version
can't be pushed into stable?
Seems that y
On Tue, Jun 28, 2005 at 01:56:55AM +0200, Moritz Muehlenhoff wrote:
> Have a look at the system we use for the testing security team (I always
> thought it originated in the security team):
> http://lists.alioth.debian.org/pipermail/secure-testing-commits/2005-June/thread.html
>
> This system is
On Tue, Jun 28, 2005 at 01:29:12AM +0200, martin f krafft wrote:
So if we all recognise it as a problem, it will solve itself?
Nothing's useful if people won't use it.
Mike Stone
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
In gmane.linux.debian.devel.security, you wrote:
>>Part of the problem with security updates has to do with the fact that
>>it's just difficult to coordinate the work. Even when Wichert, mdz, and
>>others were more active, Joey still did most of the work because it was
>>often easier for one perso
also sprach Michael Stone <[EMAIL PROTECTED]> [2005.06.28.0044 +0200]:
> The security secretaries were originally going to be part of the
> solution, and there was talk from some people about writing
> a tracking system that didn't materialize. Mostly I think it just
> needs recognition that it's a
On Tue, Jun 28, 2005 at 12:00:28AM +0200, martin f krafft wrote:
Do you guys see this as a de facto state with no solution, or is
a good solution simply waiting to be found?
The security secretaries were originally going to be part of the
solution, and there was talk from some people about writ
On Sunday, 19 June 2005 08:45, Steve Langasek wrote:
> On Sun, Jun 19, 2005 at 12:31:23AM -0400, sean finney wrote:
> > please excuse this blatant cross-posting, i wouldn't do it if i didn't
> > think it were critical that i do so...
> >
> > http://www.infodrom.org/~joey/log/?200506142140
> >
>
also sprach martin f krafft <[EMAIL PROTECTED]> [2005.06.27.2100 +0200]:
> There is a problem with that, namely responsible disclosure. The
> team cannot be too big or else the other organisations in the
> consortium will object for danger of leakage.
>
> I think what we do need though is an infra
> > That's exactly it. There's no effective tracking of security problems,
> > and some people don't see this as a problem. That makes it extremely
> > difficult for others to see what needs to be done.
>
> Do you guys see this as a de facto state with no solution, or is
> a good solution simply w
also sprach Michael Stone <[EMAIL PROTECTED]> [2005.06.27.2251 +0200]:
> On Mon, Jun 27, 2005 at 02:36:12PM -0400, Noah Meyerhans wrote:
> >Part of the problem with security updates has to do with the fact that
> >it's just difficult to coordinate the work. Even when Wichert, mdz, and
> >others we
On Mon, Jun 27, 2005 at 09:05:20PM +0200, Frans Pop wrote:
> Even if 3.0.4 contains only the security fix
It doesn't, BTW:
http://wiki.apache.org/spamassassin/changes304
// Ulf
On Mon, Jun 27, 2005 at 07:36:50PM +, Paul Hink wrote:
> Having one's workstation compromised (e.g. due to some vulnerability of
> Mozilla) is a serious thing. There might be confidential data (e.g.
> private e-mails) stored on it and in many cases it makes compromising a
> server much easier a
On Mon, Jun 27, 2005 at 07:43:50PM +0100, Steve Kemp wrote:
In some cases fixing a problem, which an upstream will not, or
which the package maintainer cannot is *very* hard work. (eg. Mozilla/
Kernel images).
Damn near impossible, in the case of mozilla. I trolled several times on
debian-sec
On Mon, Jun 27, 2005 at 02:36:12PM -0400, Noah Meyerhans wrote:
Part of the problem with security updates has to do with the fact that
it's just difficult to coordinate the work. Even when Wichert, mdz, and
others were more active, Joey still did most of the work because it was
often easier for
Steve Kemp wrote:
>On Mon, Jun 27, 2005 at 02:36:12PM -0400, Noah Meyerhans wrote:
>
>
>
>>Even allowing uploads from the secretaries could be helpful.
>>
>>
>
> Definitely.
>
> I've got fixed packages available right now for some of the
> bugs which have been raised in this thread, bu
Adam Majer <[EMAIL PROTECTED]> wrote:
> Jan Lühr wrote:
>> In its last one to two years Woody was starving out of security
>> updates. (Samba, Mozilla, Kernel, etc.).
> These are much less of a problem since they deal with either Intranet
> only applications (Samba),
"Intranet" is not a synon
also sprach Noah Meyerhans <[EMAIL PROTECTED]> [2005.06.27.2116 +0200]:
> of a "secretary". (though, when trying to do that kind of work,
> I've always found that I'm a whole lot better at hacking than I am
> at secretarial work; I suspect that's the case with a lot of
> developers)
Barring that I
On Mon, Jun 27, 2005 at 09:05:53PM +0200, martin f krafft wrote:
> > The secretary position was originally created to help this
> > situation, but it was never really clear to me what my role was
> > supposed to be.
>
> I never understood it either.
>
> How much information can be disclosed abou
> At the same time, though, I think we need to take immediate action.
> Among the first steps would be the analysis of the status quo. I am
> going through the list of CVEs right now. There are *loads*. And
> I could need help. I'll ping out to joeyh to see if we could put his
> scripts for testing
On Mon, Jun 27, 2005 at 09:05:53PM +0200, martin f krafft wrote:
>
> How much information can be disclosed about the inner workings of
> the security team without damage?
Most, but not all, of the security team's work is rather routine and
very uninteresting. Often it is necessary to review code
Greetings,
On Monday, 27 June 2005 20:10, Adam Majer wrote:
> Jan Lühr wrote:
> >Greetings,
> >
> >On Monday, 27 June 2005 15:54, Carl-Eric Menzel wrote:
> >>Does anybody know what the actual problem is, i.e. why there are no
> >>updates?
> >
> >This is not an "actual" problem, this problem is
also sprach Frans Pop <[EMAIL PROTECTED]> [2005.06.27.2105 +0200]:
> Even if 3.0.4 contains only the security fix, it will still be backported
> and released as 3.0.3-1sarge1 or something like that.
That's actually not guaranteed. If 3.0.4 contains only the security
fix and really nothing else, I
also sprach Marek Olejniczak <[EMAIL PROTECTED]> [2005.06.27.2039 +0200]:
> I don't understand the philosophy of Debian security team. It's
> really so difficult to push into sarge spamassassin 3.0.4 which is
> not vulnerable? This version is in Debian testing and why this
> version can't be pushed i
also sprach Noah Meyerhans <[EMAIL PROTECTED]> [2005.06.27.2036 +0200]:
> Part of the problem with security updates has to do with the fact
> that it's just difficult to coordinate the work. Even when
> Wichert, mdz, and others were more active, Joey still did most of
> the work because it was oft
On Monday 27 June 2005 20:39, Marek Olejniczak wrote:
> I don't understand the philosophy of Debian security team. It's really
> so difficult to push into sarge spamassassin 3.0.4 which is not
> vulnerable? This version is in Debian testing and why this version
> can't be pushed into stable?
Seems t
also sprach Matt Zimmerman <[EMAIL PROTECTED]> [2005.06.27.2026 +0200]:
> I expect it would be enough if they were all active, but that has
> never been the case for this group. Wichert, Daniel, Michael and
> myself are all de facto inactive for various reasons, and have
> been for some time.
I,
On Monday, 27.06.2005, 11:26 -0700, Matt Zimmerman wrote:
> > # Security Team -- <[EMAIL PROTECTED]>
> > /member/ Martin Schulze
> > /member/ Wichert Akkerman
> > /member/ Daniel Jacobowitz
> > /member/ Michael Stone
> > /member/ Matt Zimmerman
> > /secretary/ No
Matt Zimmerman wrote on 27/06/2005 20:26:
> On Mon, Jun 27, 2005 at 01:10:10PM -0500, Adam Majer wrote:
>
>>are happy the fix will not mess up current functionality. How many
>>people do we need on the actual security team? The current listing states,
>>
>># Security Team -- <[EMAIL PROTECTED]>
>
On Mon, Jun 27, 2005 at 08:39:43PM +0200, Marek Olejniczak wrote:
> I don't understand the philosophy of Debian security team. It's really so
> difficult to push into sarge spamassassin 3.0.4 which is not vulnerable?
> This version is in Debian testing and why this version can't be pushed into
>
On Mon, Jun 27, 2005 at 02:36:12PM -0400, Noah Meyerhans wrote:
> Even allowing uploads from the secretaries could be helpful.
Definitely.
I've got fixed packages available right now for some of the
bugs which have been raised in this thread, but until somebody
can push out the advisor
On Mon, 27 Jun 2005, Matt Zimmerman wrote:
The security team has always been a difficult one to expand. A strong level
of trust is necessary due to confidentiality issues, and security support is
a lot of (mostly boring and thankless) work. However, expanding it seems
like the only way to make
On Mon, Jun 27, 2005 at 11:26:37AM -0700, Matt Zimmerman wrote:
> The security team has always been a difficult one to expand. A strong level
> of trust is necessary due to confidentiality issues, and security support is
> a lot of (mostly boring and thankless) work. However, expanding it seems
>
On Monday 27 June 2005 20:26, Matt Zimmerman wrote:
> I expect it would be enough if they were all active, but that has
> never been the case for this group. Wichert, Daniel, Michael and
> myself are all de facto inactive for various reasons, and have been
> for some time.
And according to Steve
On Mon, Jun 27, 2005 at 01:10:10PM -0500, Adam Majer wrote:
> are happy the fix will not mess up current functionality. How many
> people do we need on the actual security team? The current listing states,
>
> # Security Team -- <[EMAIL PROTECTED]>
> /member/ Martin Schulze
> /member/ W
Jan Lühr wrote:
>Greetings,
>
>On Monday, 27 June 2005 15:54, Carl-Eric Menzel wrote:
>
>
>>Does anybody know what the actual problem is, i.e. why there are no
>>updates?
>>
>>
>
>This is not an "actual" problem, this problem is rather imho structural. In
>its last one to two years Woody
also sprach Bob Tanner <[EMAIL PROTECTED]> [2005.06.27.1939 +0200]:
> How would one go about getting on the security team?
Current practice is: you don't. The security team advises you to
send notices and patches their way. At any point, they may invite
people who have made significant contributio
[cc'ing -project]
also sprach W. Borgert <[EMAIL PROTECTED]> [2005.06.27.1525 +0200]:
> Just FYI: The well-known German Heise Newsticker (IT related) has an
> article today with the title "Debian without security update for
> several weeks": http://www.heise.de/newsticker/meldung/61076
> Hm, bad r
Bob Tanner wrote:
>How would one go about getting on the security team?
>
>If the entry into the security team is as convoluted as becoming a debian
>developer I understand why the security team does not have enough active
>members.
>
>
I would assume you need to be a DD before you can join th
On Monday 27 June 2005 09:53 am, Martin Lohmeier wrote:
> time to get s.d.o working --> not enough active member in the security
> team.
How would one go about getting on the security team?
If the entry into the security team is as convoluted as becoming a debian
developer I understand why the s
Greetings,
On Monday, 27 June 2005 15:54, Carl-Eric Menzel wrote:
> On Mon, 27 Jun 2005 15:50:19 +0200, "Jan Wagner" <[EMAIL PROTECTED]> said:
> > On Monday 27 June 2005 15:25, W. Borgert wrote:
> > > Just FYI: The well-known German Heise Newsticker (IT related) has an
> > > article today with t
Carl-Eric Menzel wrote:
> Does anybody know what the actual problem is, i.e. why there are no
> updates?
>
> Carl-Eric
>
>
Hi,
problem: http://www.infodrom.org/~joey/log/?200506142140
In the discussion on the heise.de article people mentioned [1]
On Mon, 27 Jun 2005 15:50:19 +0200, "Jan Wagner" <[EMAIL PROTECTED]> said:
> On Monday 27 June 2005 15:25, W. Borgert wrote:
> > Just FYI: The well-known German Heise Newsticker (IT related) has an
> > article today with the title "Debian without security update for
> > several weeks": http://www.h
On Monday 27 June 2005 15:25, W. Borgert wrote:
> Just FYI: The well-known German Heise Newsticker (IT related) has an
> article today with the title "Debian without security update for
> several weeks": http://www.heise.de/newsticker/meldung/61076
> Hm, bad reputation for us...
This was only a qu
Just FYI: The well-known German Heise Newsticker (IT related) has an
article today with the title "Debian without security update for
several weeks": http://www.heise.de/newsticker/meldung/61076
Hm, bad reputation for us...